By Kade Crockford, Director, ACLU of Massachusetts Technology for Liberty Project at 3:36pm

Yesterday Andy Greenberg of Forbes published some shocking information, courtesy of a FOIA project done by our friends over at the Electronic Privacy Information Center (EPIC): US Customs and Border Protection is sharing our license plate information with private insurance companies, without any public debate or even forthright public disclosure.

From Forbes:

The FOIA’d records include memos outlining the sharing of that license plate data between the Department of Homeland Security’s Customs and Border Protection, the Drug Enforcement Agency, and most significantly, the National Insurance Crime Bureau, an Illinois non-profit composed of hundreds of insurance firms including branches of Allstate, GEICO, Liberty, Nationwide, Progressive, and State Farm….

According to a 2005 “memorandum of understanding” included in EPIC’s document release, license-plate reader “information on vehicles departing from and arriving into the United States will be provided to the [National Insurance Crime Bureau or] NICB for the purpose of deterring the export of stolen vehicles, identifying vehicle theft patterns and trends…and returning vehicles to the rightful parties of interest.” The data can also be used, according to the document, to identify so-called “owner-give-up” insurance fraud, in which a vehicle’s owner fakes its theft by giving it to a friend and claiming it as stolen.

The documents also reveal data sharing arrangements between the Department of Homeland Security and the Drug Enforcement Agency, which has been quietly working to expand its own license plate tracking system throughout the country on major highways—far from US borders. A memorandum of understanding between the two agencies says that they will share license plate recognition data with the other “at regular intervals and in a manner specified in a separate, service-level agreement between the parties.” The memorandum further states that this license plate data can be freely shared with “intelligence, operations, and fusion centers” nationwide.

In other words, our worst fears about license plate recognition technology appear to be unfolding. The government is creating large pools of our location information and sharing it widely among law enforcement agencies nationwide, absent any mention of connections to investigations or criminal activity.

As of June 2012, the CBP operated 110 license plate readers at outgoing border checkpoints throughout the United States, according to the released documents. The documents reveal that the agency retains for two years the license plate information of millions of drivers who enter or exit the country via automobile at land borders between the US and Mexico, and the US and Canada. But as Greenberg points out, the two-year retention period doesn’t apply if the information is shared outside the agency, so that limit may not be at all meaningful.

Government agencies, private companies and our private data

We also don’t know exactly how far our license plate data is spreading within the private sector. While the agreement between US Customs and the private insurance industry organization NICB explicitly states that the latter “may not use the information obtained from CBP for commercial purposes or sell the information obtained from CBP to any third party,” the list of companies that have access to the data as a result of membership in NICB is long. More troubling still, the agreement says that the NICB “may outsource data entry, database and telecommunications maintenance, and operation functions relating to the LPR database(s) to a data processing service (DPS).”

The agreement provides for no external oversight of these private companies and their management of our license plate data. In other words, US Customs allows not only the NICB but also the sub-contracted “data processing service” corporations that manage our license plate data to self-police when it comes to preventing fraud, abuse or other mis-use of our information. US Customs says that “NICB will require that any recipient of LPR information from NICB immediately report misuse of LPR information to NICB who will then report the misuse to CBP.”

In short, US Customs is granting a private company access to what it admits is “highly sensitive commercial, financial, and proprietary information,” and then further allowing the private company to outsource the management of that “highly sensitive” data to yet another private company. The only auditing and accountability mechanisms required are self-policing and self-reporting.

These documents reveal a growing problem that extends far beyond the management of license plate data. The government is increasingly collecting vast quantities of information about ordinary people accused of no crime, and increasingly it is relying on private contractors to manage, sort and analyze this data looking for crime or even “pre-crime” trends. The sharing of our license plate data with private companies should be viewed as but one troubling example of this much larger problem.